[openssl-users] Cannot read exported PKCS12 cert and private key

Gary L Peskin garyp at firstech.com
Mon Mar 13 16:26:21 UTC 2017 

Thanks VERY much Michael.  That did the trick.  This was a homegrown CA cert and I needed it to sign a certificate request for testing purposes.

 

I didn’t realize that the openssl pkcs12 utility didn’t support PEM encoding for input.  I was a little confused I guess by the documentation which shows PEM encoding for “-in filename” but I see now that that’s for when exporting a PKCS#12 file, not for parsing one.

 

Thanks again for clearing this up.  It’s weird that MS supports this input format but openssl does not. I thought openssl could do EVERYTHING.  😊

 

Thanks,

Gary

 

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, March 13, 2017 8:58 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

I'll assume you mean you exported it "from a mainframe system" using RACF. RACF has half a dozen export formats for certificates and keys; they're not all supported by OpenSSL.

 

In particular (and despite the PEM delimiters), I suspect what you have here is a PKCS#12 file in PEM format. The openssl pkcs12 utility doesn't support PEM encoding, because that's not normally done. RACF will do it, though, just to be difficult.

 

openssl asn1parse -in file -inform pem shows you have valid ASN.1 data, with a big ol' blob at offset 26; adding -strparse 26 shows encrypted data. So yes, looks like PKCS#12.

 

So, try this:

1. Edit the file and remove the PEM delimiters ("---- BEGIN CERTIFICATE ----" and "----- END CERTIFICATE ----").

2. Convert the data from Base64 to binary:
                openssl base64 -d -in file -out file.der

3. Unpack it:

                openssl pkcs12 -in file.der -nokeys -out file-cert.pem

                openssl pkcs12 -in file.der -nocerts -out file-key.pem

 

Note the final openssl command will prompt you for the password to encrypt the key file with; if you don't want your private key encrypted, you can also specify -nodes.

 

You can use openssl pkcs12 just once, without the -nokeys / -nocerts options, but that will put your certificate and key in the same file, which is generally not what you want with OpenSSL.

 

Of course, you haven't told us what you're trying to do, so I'm just guessing.

 

Also, I can't verify this, because I don't have the import password for your PKCS#12 file.

 

 

Michael Wojcik 
Distinguished Engineer, Micro Focus 

 

 

 

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Gary L Peskin
Sent: Monday, March 13, 2017 08:39
To: openssl-users at openssl.org <mailto:openssl-users at openssl.org> 
Subject: Re: [openssl-users] Cannot read exported PKCS12 cert and private key

 

My original message accidently included an attachment.  Please ignore the attachment.  That was not related to this issue.

 

Thanks,

Gary

 

From: Gary L Peskin [mailto:garyp at firstech.com] 
Sent: Monday, March 13, 2017 2:28 AM
To: 'openssl-users at openssl.org' <openssl-users at openssl.org <mailto:openssl-users at openssl.org> >
Subject: Cannot read exported PKCS12 cert and private key

 

Hello all

 

I exported a certificate and corresponding private key in base 64 encoded DER format from a mainframe system and FTP’d it to my Windows desktop.

 

I tried to read it using OpenSSL 1.0.2.k and 1.1.0d 32-bit and 64-bit on Windows with 

 

openssl pkcs12  -in mycert.p12  -noout

 

But I get the following messages:

 

15956:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1199:

15956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:374:Type=PKCS12

 

I’m able to import this with the private key into the Windows certificate store with no issues.

 

Can someone please advise as to what I’m doing wrong?

 

Thanks,

Gary

 

PS Here is the file:

 

-----BEGIN CERTIFICATE-----

MIIKCAIBAzCCCcQGCSqGSIb3DQEHAaCCCbUEggmxMIIJrTCCBE8GCSqGSIb3DQEH

BqCCBEAwggQ8AgEAMIIENQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIjdBS

+TZF+xQCAgP5gIIECNtJIUg23ab7AXi33MKueO03S1pUkHCQk+kByNK/6f1FgEvu

XRqhniR3mdyzeMVBCrCBSx3GhZlpLcW/d6OAd3z8hbXjvw5OC5OLavemfRNtsi+R

q9LggkcWT2oCszc2nglKzHYaFnkG80vwxLwUXmROL+UK4ZlYmqp46EjuNAEo/yqQ

yEwgia3iP84wiZRfY9kBJMq9yUm+LvowO/1E9v/ycgE6IWe1CrThQzrD6Vm9LaTy

0oZqAbTbzbedZwGsuWZoedw2FtmRijkH5EbRNRpTrUUO/qQMO19v5IKtd4kUAWea

dpYrwn1kkD2aInKKsjycCFtGopXPbmrqj2cm335cESN4XePBHQuzaywHgd0WjU5O

++UM+B/5Kpx3af53E412pGAcgnPH/ZQKMa5Zkp73pcFmViLEC7Tn9eNB2iNUfX9p

rV3RNRnrEPZlD1MuYEkmBIWA5czUiDKrpyYA1fmrSsFthFMhD5fTVoDMSTBmNXPz

5B8HYW4+aDbo7N2a+BtFNcbMqYJqYwVL7xE2rL6nUedMyN2uKeZfOnLLQuYoUCg7

iYO5k7D/jQNsviyZg022Nzwy4agdPBKqok8oanQge8/pr3NeMrNDDKVyWy8ZBVBv

KGi3qaX45ejJxP8XaJxxw88+KOc1OvAMhWhAHlHqpw9d7OiAP1oCV+vRuYnD5N9a

YyLspoKy1nk+Htl71QQ4GYCRRGXMl7YsxtRrUSOAZa2+V/5h6ljUsTsib3VhO0eL

/jf+BlBxhpWw1J9L0r6sFMYvVS3AsqfqnBLJUFLxeQxYvVsV0Gpx8BonpZACQC91

DB4oV0l6whqtAQ4dJMJEk9nNnP0NYsVceKybF5NvgL3lzALw/Ezv8K7Y69FJaM35

LrT9JlGSt/BJ0oXp4wxqH4UbHikhGpSCteh7k3ZQkbE4fokVhH9lYkMXqBRXqXlI

nV9b7hR26NeJY0C7a9VyNXtzIVsP+JiBhDzc7GDafIF99fUHPVfqh15CPnTb5liZ

A6QlYw1aVvyhS8ST4I117kALKWUdl9xhe+ui0IFCEQY/mNuQ8O13nlcx+DvGtPxc

WCUG0VpP6AkE9Mkd67CghF6sFh/8FqdE1jU2Asj+iCZVU/s0ngH3hAXwMVUwOW9S

voxYParz1b0sF7vgrhLteHOZ03TEra7rh7OiOVUCOE6CACG1qV8QXDvpkZp2mGTx

5T7ob8nNF8XQWhIHjULVdKdOBuMh/4dOrHTuU5cFosR29mbzAZDDi0myuzTv37GJ

OgyiX0XXvwn5jCmAoaE0ji1fgxrWUs8yVYYHOj3IyQwzU+FydfKtlnhh8ZxHKDBo

8wPqrEAzTXT49bsxvy3cYxUp4Dd1G2ymkoTZonEi7Vir0kN7qjCCBVYGCSqGSIb3

DQEHAaCCBUcEggVDMIIFPzCCBTsGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZI

hvcNAQwBAzAOBAh2oqSgVyE4cwICA/EEggTInCkEbWknH/Vojqzmn1jIPRGb7dG+

egxS5YDtk14LxnQuwACTQef2wQnKlosYbfH8dJVIvXRYB19MXroGpd5KJA8Dftqa

dWFVAcDIrzV/ZS252aita0fKOVeqjKWo7TkA9jnwDeekAcK+1R5ioIcfXPLJDSUX

gdEaza88oQ+g+34+B2o+mnTPT/PM/o1n6cifVRURn2jMASwiB/cwLn58UZibCSgL

h3CrcKamWi8AF3eJ2rkpPuK41s8SfqZ1ByNEFSgnsX5UQzJpn8FoBPBOmFnR8FTr

XNwtT7GcJJuWDSnf+On2PI2LYT6XAhNeCkfMwdnUa6N1YV2Okelmae4J21sldQlw

ATZFiuigyPMFF1X3wUfdvZTwQGC17YFTN+OIYF9/62XTiZUEJ6y0I3nRvAxpaRHS

VVyh2KA89e5Llxv+bArgA6brykRHFk5I7e7krrflPoQJ0o1oKhb8DshnxAk65v/H

xTPLq9gac81AY8rWnrTCZcO+inCan/IlOKDXnVCUfZATtAOOIQ6Mf9KwuAeyE9xu

4dUO0vF5juFU6hK8SR//apf0JF+zejq5wnEhc1o/sWVpKQkakYayJ+4Hnlx+G6Ra

bJ3ZYQv4U/kUx0Q43qvvwhx0qdZ79BUpqPTxLeBzwVG6q5ys8eZY988YcIg11NY9

+qC4cFGBsbMuWSispichDN5wEJ9C9UrdKRGsAztz0j1GTiJcXPnBH+vTeULh7Spx

GmLbJWyj3tg+QaefDPo4aaIpZCZV0BFSy41fgoBB+rZ45wNgRiDuDuHue2WY28PC

dGrAuXzQTUeEUYqN2zL2DhiYD/6/Y+/BCUS/kO0w3x0J7ityoSlyVJ+cf84FYmtB

zmPIqgjDZS/NGC0OWgUBWxzspADETmwpZDCz8MJHK99nbAcYz3AybW6307NCJTKp

gPfH6RyTrDzoijIweHUeU2pANpDjbp53UKV5/WyEvbjvy9maf1Jze60zS7EFgZ/n

ZEe+eQbSY5SGtTWCB3mMbOTFvDH0QKGbfj6EX2Z+P+RZEeU/xzMOejcBbOO7XpgV

+Uryt+NgcocTtg/5YjVkAdMeVz9A/XdGydAy7hE2FwFI1hJTl/aI4ZaAKV34xH2r

J4/VstlG8ongv9zMNaS4Xl1n3wk6W3oAUmqWdoYYyDsocIBl1he1oP588Capa7OL

NLYDl3llQXbyah1A//xJsH5M8KiB0MlJ0qSSp0U7LXmxDP3dw3kcR9XgOX835Bpi

NlOPQDfzYZyKN6sIGDcuxwQPdOg2EQZxI3W5xp+oHTM/yTuqo/5vpOIlMdwqfQ/R

HGLVyyQ0yO3oIMxiE56jSnrhjj/H/bJJAMMUBXI6pi18JCv24cTjVsXGjsf4jH7g

9uGmoecX/Sx77Sx+814aO0Qkm0WzadLagKoz1nOV1hmeSan1nFnXkE94VqIJ9YTV

qnLrY0JYjpI2ywkW4wCscjVMIxkAfhifc31v4LWUnTMO0Y+xqO89v1hKbSYkZYYs

psrxnomXJq/RqjfZBhF3f+0aTNxpvlJnGOjnlT0qX1yHBOr+bmkcTIhL7pKA+qK1

fZD8834wTLrRcFiPD7pX6/zglMEG4PUf1RoDC0+3Ud8qa2SqfyYZeFm8+9yFsFnZ

RYFkMTowIwYJKoZIhvcNAQkUMRYeFABDAEEAQwBUAEUAUwBUACAAQwBBMBMGCSqG

SIb3DQEJFTEGBAQAAAABMDswHzAHBgUrDgMCGgQUoiKIky5oqgCxt5DnJxWNQvZ1

WecEFDabnXfA8sLdfwIXx9AexvOOS0gpAgID+w==

-----END CERTIFICATE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170313/052e03e8/attachment-0001.html>

More information about the openssl-users mailing list